The National Privacy Commission (NPC) issued a statement on Tuesday, August 11, refuting a statement by Department of Interior and Local Government (DILG) secretary Eduardo Año that the Data Privacy Act has become one of the stumbling blocks in contract tracing for persons afflicted with Covid-19.
The NPC said the Data Privacy Act (DPA) is not a hindrance to contact tracing initiatives, stressing that it seeks to protect individuals from discrimination, harassment, and acts of social vigilantism amid the Covid-19 pandemic.
“We want to clarify that the DPA does not prevent hospitals from sharing a Covid-19 patient’s data to proper authorities. The law recognizes the guidelines set by DOH on contact tracing procedures that hospitals, LGUs, and contact tracers must follow. In this pandemic, public health and data privacy are on the same side,” NPC chair Raymund E. Liboro said in a statement.
“The DPA should not be used as an excuse for not providing Covid patient data necessary for LGU contact tracing that we need to combat the pandemic,” Liboro said as noted that hospitals are mandated to collect information from patients and provide it to the authorities under the guidelines set by the Department of Health (DOH).
“Likewise, we call on the individuals affected by Covid to be truthful when providing accurate health information,” he added.
When asked if there were any challenges in terms of contact tracing, Año was quoted by Inquirer.net as saying : “Isa nating balakid dyan ay ‘yung data privacy law natin, hindi nagbibigay ng full information.”
But Liboro emphasized that public and private health institutions, companies, and individuals involved in the Covid-19 response must “collect and process what is necessary and disclose data only to the proper authorities.”
“The NPC has provided public health emergency bulletins, advisory opinions as guidance for personal information controllers, especially healthcare providers. Our Commission has been coordinating closely with the Department of Health to ensure that the DPA will not be an obstruction in the proper conduct of contact tracing,” the NPC chief said.
In Advisory Opinion 2020-022, in a response to the request of the Private Hospitals Association of the Philippines for clarification of contact tracing protocols, the NPC cited as bases DOH’s Updated Guidelines on Contact Tracing, which limits the disclosure of Covid-19 personal data, and the DOH-NPC Joint Memorandum Circular (JMC) on the Privacy Guidelines on the Processing and Disclosure of Covid-19 Related Data for Disease Surveillance and Response.
The guidelines provide that disclosure of patient identifiers or data is allowed but limited only to authorized entities, officers, and personnel.
Any disclosure must serve “a public purpose or function” that would allow relevant authorities to reach those who may have come into close contact with a Covid-19 positive individual so they may be promptly alerted and provided preventive counseling or care.
The guidelines prohibit disclosure of names and other personal identifiers that can single out a patient to the public, the media, or any other public-facing platforms without the patient’s written consent or his/her authorized representative or next of kin.
Risks of publicly naming infected individuals
The DOH and NPC advise against publicly naming data subjects suspected of having contracted Covid-19 or confirmed positive for the disease connected with contact tracing efforts.
“Publicly naming an infected individual is equivalent to putting a person’s life at risk, given the physical assaults and discrimination which suspected or confirmed individuals had experienced. Fearing possible harassment and stigma, people may hide their true conditions, leading to lost opportunities in tracking the disease and contact tracing. The policy is counterproductive, will not result to better contact tracing, and will put more lives of front liners at risk,” Liboro said.
The latest NPC advisory opinion on contact tracing reiterated that collection and processing of data must be fully aware of the principles laid out by the DPA and that secure disposal of personal data from records, whether manually or digitally obtained, must be done once the purpose of their collection had been achieved.
Liboro also reasserted the points in NPC Bulletin No. 3 issued in May. “Again, the DPA is not a hindrance to contact tracing efforts and the guidance it provides is necessary, especially in these unfamiliar times, to preserve the basic right of people to data privacy and protection, and build trust,” he said.